Paul Squires on security and related topics

Main menu

Tag Archives: biometrics

There have been a couple of identity related stories in the media over the past couple of days that grabbed my attention. First was the (long awaited, on my part) “identity” connection with John Darwin, in which it’s finally been revealed that he used a “Day of the Jackal” style identity switch to get a new passport.

For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which are public record). What I find amusing is that this sort of “attack” was supposed to have been stopped – the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).

Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.

Whilst there was a huge outcry over the recent events involving child benefit data this seems to have attracted less attention, but still may result in some major problems. I concede that events involving people directly, especially bank account details and even more when it involves children’s details are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).

This case of data leakage contains car information – makes, models, colours, registration plates, chassis numbers &c – all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any of the same model car look like another – a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse – the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical, data through public networks (whatever the channel), there are two things that come to mind about this situation.

Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement – a well trained, experienced (and well paid) policeman with the ability to make decisions and trust their own judgement is far better than a computer – when something is “wrong” they can tell and take action, when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned – most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targetted action I don’t see the issue – and we take a far more scattergun approach to drink driving…

The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim – unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days – likewise, if my car is cloned I can’t (easily) change the major identifiers for it.

Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse crimes like human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely – we have to deal with processes that scale well, but there has to be some element of humanity in every system – preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.

This morning’s news sees a call from Lord Justice Sedley for all people in the UK including visitors to be required to submit DNA to the national database that is currently being populated. Sedley’s reasons for saying this are not primarily political, but more about fairness and removing the bias that exists in these systems, but regardless, I think this marks a dangerous move for the judiciary.

There are a number of potential problems with a DNA database, which will start to become more apparent as the number of records increases and technology moves on. A comment from Sedley demonstrates my biggest concern with any such database

It also means that a great many people who are walking the streets and whose DNA would show them guilty of crimes, go free

This displays the very real public opinion that DNA (along with fingerprints, for that matter) are infallible proof of guilt of a crime when, in fact, there can be errors made at any stage of the process. DNA gets around – look in my car, for example, there are DNA samples from me, my family, my colleagues, the guy who changed a tyre recently and probably many more. If my car becomes a crime scene just how many people will be under suspicion?

Taking this a step further, it’s already possible to plant DNA evidence (it’s easy enough to collect, as my car demonstrates) and at some point in the future will be a trivial task to synthesise it and no doubt to mask it as well. What needs to happen is that the police perform robust investigation, collecting real evidence and determining motive; DNA samples can never be anything other than circumstantial and should certainly not be used as prima facie evidence of guilt.

One of the biggest issues with any biometric identifier is that it is impossible to change – once my DNA (or my fingerprint) has been used for some nefarious purpose then I can never change – there could be someone who (within the bounds of scanning accuracy) is my genetic “twin” to whom I am permanently linked. Every crime he commits would result in my arrest! We’ve seen this situation with the no-fly lists using names (which admittedly are certainly not as unique as DNA).

As with many of these discussions, it’s not the database itself that’s the problem, but the purposes to which it can be put. Unfortunately no legal restraints can be put in place that will guarantee such a system will not be abused and therefore I have little choice but to criticise the initial implementation – as I’ve done already with other systems in our “database state”. I do have nothing to hide, but there is still plenty to fear from this.

Over the past week the use of biometrics in schools (in particular) has received a lot of media attention – one of the key uses being to “pay” for school meals. Such a system has some big advantages – the reduction in bullying and the loss of stigma for those children who receive subsidised meals are two key benefits (the social inclusion element was a matter actually mentioned at this event).

The usual arguments for both sides were bandied around the media. My own initial thought on the matter was that it probably isn’t such a bad thing – after all, the full fingerprint isn’t stored in the system and as long as data isn’t shared with other systems (the criminal justice IDENT1 programme, for instance) and is deleted at the appropriate time, then the privacy of the child can be maintained and the benefits realised (not that I have any faith at all in our Government to not actively encourage should data leakage).

It seems I wasn’t alone in this belief – Kim Cameron has written a series of posts on the topic (starting here in which some of the myths about convention biometrics are dealt with. This post in particular is instructive and shows how current biometric systems work – producing a template of the biometric with a known algorithm – against which a result is matched. For some reason I’d assumed that these systems worked more in the way of what I now know to be Biometric Encryption (link to PDF by Ann Cavoukian and Alex Stoianov), but this is obviously not the case!

Kim follows this up with a further explanation from Cavoukian and Stoianov which describes how easily standard biometric templates can be matched across discrete databases – even when there is no explicit link between them!

“The linking of the databases can be done offline using template-to-template matching, in a very efficient one-to-many mode.”

Kim concludes with the statement

I had not understood that you can so easily correlate conventional biometric templates across databases. I had thought the �fuzziness� of the problem would make it harder than it apparently is. This raises even more red flags about the use of conventional biometrics.

This is where my provisos on when this is acceptable come in – identity data and biometrics in particular need to handled with sensitivity (even more so when it concerns children), but even with the right political and economic safeguards the technology has to be correct. As things stand we have a scenario where inadequate technology is being used for unsuitable purposes under the umbrella of a “higher goal” that is ill advised at best.